user2569618

Reputation: 687

How to do an Ansible condition test of user/group existence?

As new nodes (CentOS 7.6) are added, there are basic groups and users that need to be created. Some of the nodes have some of the groups and users. I would like to only create the groups and users on the nodes where they don't exist via my Ansible (version 2.8.0) basic role file.

Currently, I'm testing for the group/user, but there's always a "fatal" printed and my conditionals don't appear to work.

roles/basic/tasks/main.yml

- name: "Does k8s group exist?"
  shell: grep -q "^k8s" /etc/group
  register: gexist

- name: "Create k8s group"
  shell: groupadd -g 8000 k8s
  when: gexist.rc != 0    

- name: "Does k8s user exist?"
  shell: id -u k8s > /dev/null 2>&1
  register: uexist

- name: "Create k8s user"
  shell: useradd -g 8000 -d /home/k8s -s /bin/bash -u 8000 -m k8s
  when: uexist.rc != 0

which yields:

TASK [basic : Does k8s group exist?] *****************************************************************************************************************************
fatal: [master]: FAILED! => {"changed": true, "cmd": "grep -q \"^k8s:\" /etc/group", "delta": "0:00:00.009424", "end": "2019-05-29 14:42:17.947350", "msg": "non-zero return code", "rc": 1, "start": "2019-05-29 14:42:17.937926", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}
fatal: [node3]: FAILED! => {"changed": true, "cmd": "grep -q \"^k8s:\" /etc/group", "delta": "0:00:00.012089", "end": "2019-05-29 06:41:36.661356", "msg": "non-zero return code", "rc": 1, "start": "2019-05-29 06:41:36.649267", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}
fatal: [node1]: FAILED! => {"changed": true, "cmd": "grep -q \"^k8s:\" /etc/group", "delta": "0:00:00.010104", "end": "2019-05-29 14:42:17.990460", "msg": "non-zero return code", "rc": 1, "start": "2019-05-29 14:42:17.980356", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}
changed: [node2]

There has got to be a better way to do conditionals (if-then-else) than the way I'm doing it.

Upvotes: 0

Views: 406

Answers (1)

Vladimir Botka

Reputation: 68034

See user and group. The code below is probably what you're looking for.

- name: "Create k8s group"
  group:
    gid: 8000
    name: k8s

- name: "Create k8s user"
  user:
    group: k8s
    home: /home/k8s
    shell: /bin/bash
    uid: 8000
    name: k8s

The only if-then-else in Ansible I'm aware of is the ternary filter (for other options see Jinja). The control flow is rather poor in Ansible compared to other procedural languages. It's because the code defines a state of the system rather than a procedure.

To answer your question:

How to do an Ansible condition test of user/group existence?

Your code does it correctly, but the purpose of Ansible is to define the state of the system. It's not important whether a user or group existed before or not. After successfully having run the code they will exist (definition of a state) and running the code again makes sure they still exist (audit).

Upvotes: 1
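An added example, not part of the question or the answer: the "fatal" lines in the question appear because a shell task is marked failed on any non-zero return code, so this sketch shows a read-only existence probe that does not fail on "not found", followed by the declarative tasks from the answer. The group/user name and the ID 8000 come from the question; the registered variable names and the decision to stop on an ID mismatch are assumptions of this example.

```yaml
# Added example for roles/basic/tasks/main.yml; not from the original posts.
# k8s and the ID 8000 come from the question; the registered variable names
# (k8s_group_check, k8s_user_check) are hypothetical.

# Read-only probes. getent exits 0 when the key exists and 2 when it does not,
# so only other return codes count as failures and no "fatal" is printed for
# a missing account. getent also resolves through NSS (LDAP/SSSD) and matches
# the exact name, where grep "^k8s" /etc/group would also match "k8s-admin".
- name: "Probe for k8s group (read-only)"
  command: getent group k8s
  register: k8s_group_check
  changed_when: false
  failed_when: k8s_group_check.rc not in [0, 2]
  check_mode: no

- name: "Probe for k8s user (read-only)"
  command: getent passwd k8s
  register: k8s_user_check
  changed_when: false
  failed_when: k8s_user_check.rc not in [0, 2]
  check_mode: no

# The group and user modules change the gid/uid of an existing account to
# match the task. Stopping here instead is a choice made for this example,
# so that files owned by the old IDs are not orphaned without review.
- name: "Refuse to renumber a pre-existing k8s group or user"
  fail:
    msg: "k8s already exists on {{ inventory_hostname }} with an ID other than 8000"
  when: >-
    (k8s_group_check.rc == 0 and k8s_group_check.stdout.split(':')[2] != '8000') or
    (k8s_user_check.rc == 0 and k8s_user_check.stdout.split(':')[2] != '8000')

# Declarative state: reports "changed" only on nodes where something was created.
- name: "Ensure k8s group"
  group:
    name: k8s
    gid: 8000
    state: present

- name: "Ensure k8s user"
  user:
    name: k8s
    uid: 8000
    group: k8s
    home: /home/k8s
    shell: /bin/bash
    state: present
```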
